AWS cognito high security documentation change
Summary
Added new section 'Protect against SMS message abuse' with guidance about SMS pumping risks and mitigation resources
Security assessment
Explicitly addresses SMS pumping attacks (a known security/fraud vector) by adding documentation about risks of SMS message abuse and linking to AWS mitigation guidance. This indicates recognition of a specific security threat (artificially inflated traffic/SMS fraud).
Diff
diff --git a/cognito/latest/developerguide/user-pool-security-best-practices.md b/cognito/latest/developerguide/user-pool-security-best-practices.md index d96b2ddab..a6b1522f9 100644 --- a//cognito/latest/developerguide/user-pool-security-best-practices.md +++ b//cognito/latest/developerguide/user-pool-security-best-practices.md @@ -5 +5 @@ -Protect your user pool at the network levelUnderstand public authenticationProtect confidential clients with client secretsProtect other secretsUser pool administration least privilegeSecure and verify tokensDetermine the identity providers that you want to trustUnderstand the effect of scopes on access to user profilesSanitize inputs for user attributes +Protect your user pool at the network levelProtect against SMS message abuseUnderstand public authenticationProtect confidential clients with client secretsProtect other secretsUser pool administration least privilegeSecure and verify tokensDetermine the identity providers that you want to trustUnderstand the effect of scopes on access to user profilesSanitize inputs for user attributes @@ -14,0 +15,11 @@ AWS WAF web ACLs can protect the performance and cost of the authentication mech +## Protect against SMS message abuse + +When you permit public sign-up in your user pool, you can configure account verification with codes that Amazon Cognito sends in SMS text messages. SMS messages can be associated with unwanted activity and increase your AWS bill. Configure your infrastructure to be resilient against sending SMS messages under circumstances of fraud. For more information, review the following posts from AWS Blogs. + + * [Reduce risks of user sign-up fraud and SMS pumping with Amazon Cognito user pools](https://aws.amazon.com/blogs/security/reduce-risks-of-user-sign-up-fraud-and-sms-pumping-with-amazon-cognito-user-pools/) + + * [Defending Against SMS Pumping: New AWS Features to Help Combat Artificially Inflated Traffic](https://aws.amazon.com/blogs/messaging-and-targeting/defending-against-sms-pumping-new-aws-features-to-help-combat-artificially-inflated-traffic/) + + + +